The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent. The Bill was passed with virtually no amendment.
Main objectives of the Bill
As discussed in our previous article, the main objectives of the Bill are to increase maximum penalties that can be applied under the Privacy Act 1988 (Cth) (Privacy Act) for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
- $50 million;
- three (3) times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period.
The Bill now also:
- provides the Australian Information Commissioner with greater powers to resolve privacy breaches;
- strengthens the Notifiable Data Breaches Scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in each breach to assess the risk of harm to individuals;
- equips the Australian Information Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers; and
- amends the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.
Disputes with section 13G of the Bill
While most participating stakeholders approved of the Bill, several shortcomings were highlighted. The new penalty framework including the concept of a “benefit” derived from a data breach was questioned. The Law Council and Business Council of Australia expressed the concern of quantifying an exact “benefit” obtained from a privacy breach. In this instance the Attorney-General’s Department (AGD) had said that there was no intention to suggest that a ‘benefit’ occurred in all instances of a data breach. Instead where there is no evident benefit, the first branch of the $50 million penalty is triggered. Another concern raised was that the maximum penalties were too high for the following reasons:
- they would apply in multiple data breach contexts ; and
- they would be applied to small business and even charitable organisations in certain instances.
In response to this, the Australian Privacy Commissioner, Angelene Falk acknowledged that the penalties would apply as stated above however, it was claimed that the method of civil penalties would always be the relied upon enforcement option by the Office of the Australian Information Commissioner (OAIC).
OAIC’s response
The OAIC has welcomed the Bill with Angelene Falk stating
“The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation.”
What does this means for Australian businesses?
The Privacy Act is applicable to businesses with an annual turnover of $3 million or more. If your business is governed by the Act, they should take reasonable steps to ensure they are compliant with the Australian Privacy Principles (APPs). This can include:
- ensuring adequate security systems are in place to protect against unauthorised access, use or loss of data;
- developing and implementing response plans in line with the Notifiable Data Breach requirements to prevent and control data breaches, should they occur; and
- preparing, adopting and publishing a Privacy Policy that complies with Australian privacy law.
Takeaways
It’s been said that the intention of the Australian government was that the Bill would be the first stepping stone into the “great pool” of privacy legislation reform. It does seem quite coincidental that the increased penalties happen to coincide neatly with the recent large-scale data breaches of Optus and Medibank. Whether a larger penalty regime will stimulate investment in more robust IT systems is difficult to anticipate.
Links and further references
Legislation
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
Further information about privacy compliance
If you are a business and need advice on compliance with privacy laws, contact us for a confidential and obligation-free discussion:
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
Related insights about privacy compliance
-
Privacy Act amended to increase penalties up to $50 million
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent. The Bill was passed with virtually no amendment.
-
What should APP Entities include in a data destruction policy?
This article summarises the Australian Privacy Principles (APPs) and the importance of having a data destruction policy (DDP) in place. It outlines the steps to take when destroying or deidentifying personal and sensitive information, and the consequences of not doing so.
-
Uber breaches Australian privacy laws
This article provides an overview of interesting decisions of Australian Courts in Corporate Law, Technology Law and Intellectual Property. With cases on Trade Marks, Copyright, Defamation, Negligence, Joint Ventures and Confidential Information, it is an invaluable resource for anyone interested in these areas.
-
International companies can be bound by Australian privacy laws
Australian Intelligence Community (AIC) Commissioner Falk determined how the Office of the Australian Information Commissioner (OAIC) will assess if international entities have an Australian Link to Privacy Act 1988 (Cth).
-
Are your privacy practices compliant with the amended Privacy Act 1988 (Cth)?
Organisations must act ensure compliance with the Privacy Act 1988 (Cth) reforms. Learn more about the thirteen new Australian Privacy Principles (APP’s) the penalties for non-compliance, and the steps you can take to protect your business.
